WebApp Sec mailing list archives

Re: htaccess with apache

From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 4 Nov 2003 22:34:20 +0100

[A.D.Douma]

|   My question is what else could an attacker do? Would command
|   execution be possible?

Sometimes.  If the code looks somewhat like this:

    # first get $filename from the arguments.  then:
    open(F, $filename);

the attacker could make sure $filename was represented as eg:

    find / -ls |

Note the trailing bar, which instructs Perl to open a pipe from the
given command.  One should explicitely tell Perl to open a _file_ for
reading:

    open(F, "<" . $filename);

In addition, one should of course make sure the filename contains only
reasonable characters.


Sverre.

-- 
shh () thathost com
http://shh.thathost.com/

Current thread:

htaccess with apache Hans Mueller (Nov 04)
- Re: htaccess with apache David Precious (Nov 04)
- Re: htaccess with apache Graham Lally (Nov 04)
  - Re: htaccess with apache Tim Greer (Nov 04)
    - Re: htaccess with apache A.D.Douma (Nov 04)
    - Re: htaccess with apache Tim Greer (Nov 04)
    - Re: htaccess with apache Sverre H. Huseby (Nov 04)
    - Re: htaccess with apache Tim Tompkins (Nov 04)
    - Re: htaccess with apache Lucas Holt (Nov 04)
    - Re: htaccess with apache A.D.Douma (Nov 05)
    - Re: htaccess with apache Graham Lally (Nov 04)
    - Re: htaccess with apache Tim Greer (Nov 04)
    - Re: htaccess with apache António Vasconcelos (Nov 05)
    - Re: htaccess with apache Tim Greer (Nov 05)
    - Re: htaccess with apache António Vasconcelos (Nov 06)
    - Re: htaccess with apache Tim Greer (Nov 06)
    - Re: htaccess with apache António Vasconcelos (Nov 11)

(Thread continues...)